Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-43712 | AD.AU.0001 | SV-56533r4_rule | Medium |
Description |
---|
Monitoring the usage of administrative accounts can alert on suspicious behavior and anomalous account usage that would be indicative of potential malicious credential reuse. |
STIG | Date |
---|---|
Active Directory Domain Security Technical Implementation Guide (STIG) | 2018-09-13 |
Check Text ( C-66421r1_chk ) |
---|
Verify account usage events for administrative accounts are being monitored. This includes events related to approved administrative accounts as well as accounts being added to privileged groups such as Administrators, Domain and Enterprise Admins and other organization defined administrative groups. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools. Monitor for the events listed below, at minimum. If these events are not monitored, this is a finding. Account Lockouts (Subcategory: User Account Management) 4740 - A user account is locked out. User Added to Privileged Group (Subcategory: Security Group Management) 4728 - A member was added to a security-enabled global group. 4732 - A member was added to a security-enabled local group. 4756 - A member was added to a security-enabled universal group. Successful User Account Login (Subcategory: Logon) 4624 - An account was successfully logged on. Failed User Account Login (Subcategory: Logon) 4625 - An account failed to log on. Account Login with Explicit Credentials (Subcategory: Logon) 4648 - A logon was attempted using explicit credentials. |
Fix Text (F-71809r2_fix) |
---|
Monitor account usage events for administrative accounts. This includes events related to approved administrative accounts as well as accounts being added to privileged groups such as Administrators, Domain and Enterprise Admins and other organization defined administrative groups. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools. Monitor for the events listed below, at minimum. Account Lockouts (Subcategory: User Account Management) 4740 - A user account is locked out. User Added to Privileged Group (Subcategory: Security Group Management) 4728 - A member was added to a security-enabled global group. 4732 - A member was added to a security-enabled local group. 4756 - A member was added to a security-enabled universal group. Successful User Account Login (Subcategory: Logon) 4624 - An account was successfully logged on. Failed User Account Login (Subcategory: Logon) 4625 - An account failed to log on. Account Login with Explicit Credentials (Subcategory: Logon) 4648 - A logon was attempted using explicit credentials. The "Account Usage" section of NSA's "Spotting the Adversary with Windows Event Log Monitoring" provides additional information. https://www.iad.gov/iad/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm. |